NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

In 2006, the Ministry of Communications and Works (MCW) approved a policy document [3], through which a number of specific actions in the area of network and information security are promoted, via OCECPR: the formation of Computer Emergency Response Teams (CERTs / CSIRTs), the creation of an institutional framework for the security and integrity of information infrastructures, and the raising of awareness of all stakeholders and Cypriot society about relevant security matters.
In 2010, upon recommendations by OCECPR which were received favourably by ENISA, MCW also approved a detailed policy document [4] regarding the operation of a governmental and an academic CERT. The Cypriot CERTs are being formed with the potential to be extended to cover the private business sector at a later stage. The founding of the CERTs has been formalised via secondary legislation P.I.358/2010.

Within 2012, new provisions are being introduced into The Regulation of Electronic Communications and Postal Services Law of 2004 (112 - 2004), which stem from the new Regulatory Framework for Electronic Communications [5] and which cover matters related to network and information security. These new provisions have been applied, on a European level, since 25th May 2011.
The Republic of Cyprus, in cooperation with the relevant stakeholders, has committed, via the Telecommunications Ministerial Council, to contribute to European and international collaboration for responding to threats and challenges in cyberspace.

In 2017, at the Conference titled "How S@fe is your Business?", George Michaelides, Commissioner of Electronic Communications & Postal Regulation (OCECPR), spoke about the new Network and Information Security (NIS) directive which applies to operators of "essential services" in "critical sectors".
The Commissioner stated that the vision of the Cybersecurity Strategy of the Cyprus Government is the protection of all critical information infrastructures of the state and the operation of information and communication technologies with the necessary levels of security, for the benefit of every citizen, the economy and the country itself.
The Commissioner also stated that building awareness for SMEs is very important as well because if these companies are attacked, the whole economy of the state is affected.

Operational capacity building

The Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) is an independent regulatory authority of the Republic of Cyprus in matters of electronic communications and postal services, with additional responsibilities in the areas of terminal equipment, network and information security and protection of critical information infrastructures. It has been designated as the body responsible for coordinating the implementation of the National Cybersecurity Strategy of the Republic of Cyprus, which concerns the pillars of network and information security (cybersecurity), cybercrime, cyberdefence and related external affairs.

OCECPR is responsible for the creation and coordination of a body or bodies for response to incidents related to Network and Information Security (CSIRTs - Computer Security Incident Response Teams or CERTs - Computer Emergency Response Teams) in Cyprus. It also supervises and regulates the activity of the above CSIRT / CERT entities.

OCECPR, with secondary legislation, sets minimum standards for the security of public networks and networks that offer electronic communications services to third parties, and monitors the level of implementation of relevant organisational, procedural and technical measures. It is also responsible for receiving security breach notifications, related to the networks and personal data of the consumers, and disseminating them as deemed necessary for national level cooperation, but also to other Member States of the European Union, ENISA and the European Commission.

Legal conditions

The main laws in the field of cybercrime in Cyprus are:
1. The Law ratifying the Convention on Cybercrime (Budapest Convention), L.22(III)/2004. This legislation covers hacking, child pornography and fraud committed via electronic communication and the Internet.
2. The Law that revises the legal framework on preventing and combating the sexual abuse and sexual exploitation of children and child pornography, L 91(I)/2014. This legislation ratifies the EU Directive 2011/93/EU and covers child pornography, grooming and notice and takedown.
3. The Law ratifying the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Racist and Xenophobic acts, L.26(III)/2004. This legislation covers racism and xenophobia via computer systems and the Internet.
4. The Law on the Processing of Personal Data, L.138(I)/2001.
5. The Law on the Retention of Telecommunication data for the investigation of serious offences, L. 183(I)/2007. This legislation transposed Directive 2006/24/JHA. Although the Directive was invalidated by the Court of Justice of the EU, the national law is still valid. The national law is founded on a constitutional provision and it includes specific safeguards for the protection of privacy; for example, communication data are released only following a court order. A case was recently filed with the Supreme Court on the impact of the annulment of the EU Directive on Law 183(I)/2007 and the Supreme Court found that it complied with the European Convention of Human Rights.
6. Law 112(I)/2004 Regulating Electronic Communication and Postal Services.
7. Law implementing Directive 2013/40/EU on attacks against information systems, 147(I)/2015.

Business and Public private partnerships

There is public-private co-operation on awareness of cybersecurity and in the creation of a cybercrime centre of excellence. A biennial CYpBER conference provides a liaison between the Cyprus government and private sector representatives dealing with cybersecurity concerns (mostly related to the oil and gas industry).

Other capacity-building measures: research and education

The strategy includes a dedicated chapter on training and capacity development, including:

Creation of a suitable workforce with the necessary specialised knowledge.

Inclusion of relevant certifications and experience into job descriptions that relate to electronic security.

Support activities in Cypriot higher education institutions in the area of network and information security, through the inclusion of electronic security topics in their curricula and the institution of related research programmes.

The Cyprus Cybercrime Center of Excellence (3CE), http://www.3ce.cy/en/, provides short-term, highly focused and specialised training seminars on cybercrime-related issues for public and private sector participants. Courses facilitate the exchange and diffusion of tacit knowledge and expertise and familiarise participants with new technologies and tools, and improve their day-to-day activities related to the Cybercrime area. University courses on Cybercrime developed and delivered to stakeholders will provide better understanding of the legal and technical elements of cybercrime for new generation scientists. Courses will be made available under creative commons licensing terms for LEAs worldwide. 3CE aspires to become an exemplary Centre of Excellence in the area of Cybercrime by conducting research in relevant fields, focusing particularly on areas dealing with forensic analysis, intrusion detection systems of critical information infrastructures, and legal aspects of cybercrime.

Implementation & Monitoring

The competent/related authorities that are involved at this stage are the following:

Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR)

Department of Information Technology Services (DITS)

Cyprus Police

National Guard General Staff

National Security Authority

Central Intelligence Service

Office of the Commissioner for Personal Data Protection

Ministry of Communications and Works (MCW)

Department of Electronic Communications (DEC)

Civil Defence Force

Cyprus Fire Service

Unit for Combating Money Laundering

It is noted that the competent authority of the Republic of Cyprus that has responsibilities relating to Classified Information (CI) and European Union Classified Information (EU CI) is the National Security Authority.

Overall assessment/best practices

Public-private co-operation on awareness of cybersecurity and creation of a Cybercrime Centre of Excellence (3CE), which provides short-term, highly focused and specialised training seminars on cybercrime-related issues for public and private sector participants.
Creation of a suitable workforce with the necessary specialised knowledge.

KIOS CoE strives to create a regional research and innovation ecosystem in the area of ICT, resulting in major economic and societal benefits for Cyprus and Europe as a whole, by cultivating a vibrant research and innovation cluster in high technology areas linking universities, technology companies and end users, government agencies, as well as enterprise support companies.